目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CVE-2020-1472 PoC — Microsoft Windows Netlogon 安全特征问题漏洞

来源
https://github.com/CanciuCostin/CVE-2020-1472
关联漏洞
标题:Microsoft Windows Netlogon 安全特征问题漏洞 (CVE-2020-1472)
Description:Microsoft Windows Netlogon是美国微软(Microsoft)公司的Windows的一个重要组件,主要功能是用户和机器在域内网络上的认证,以及复制数据库以进行域控备份,同时还用于维护域成员与域之间、域与域控之间、域DC与跨域DC之间的关系。 Microsoft Windows Netlogon 存在安全漏洞。攻击者可以使用 Netlogon 远程协议 (MS-NRPC) 建立与域控制器的易受攻击的 Netlogon 安全通道连接并进行特权提升。
Description
CVE-2020-1472 - Zero Logon vulnerability Python implementation
介绍
![Python][python-shield]

# CVE-2020-1472

CVE-2020-1472 - Zero Logon vulnerability Python implementation

## Description

* A Python script which uses the Impacket library to test for CVE-2020-1472 - Zerologon vulnerability (credits to Secura research).
* The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.
* Specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each “byte” of plaintext have a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed 16 bits – not randomized –  meaning an attacker could control the deciphered text.
* "Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the [Domain Controller] itself) and set an empty password for that account in the domain,” according to Secura researchers.

![Description](https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/15102209/microsoft-window-attack.png)

* The script attempts to perform Netlogon authentication bypass. The script will terminate when succesfully 
performing the bypass.
* When a domain controller is patched, the script will stop after sending 2000 pairs of RPC calls (target is not vulnerable with a false negative chance of 0.04%).
* Note that by default this changes the password of the domain controller account. This allows to DCSync, but it also breaks communication with other DCs.
* More info and original research [here](https://www.secura.com/blog/zero-logon)

## Prerequisites

```
pip install impacket
```
or Download the impacket release [here](https://github.com/SecureAuthCorp/impacket/releases). Unpack it, and in the directory where you placed it, run:
```
pip install .
```

## Usage

Given a domain controller named `DC-NAME` with IP address `X.X.X.X`, run the script as follows:

    python cve-2020-1472.py DC-NAME X.X.X.X

The DC name is the NetBIOS computer name. If this name is not correct, the script will fail with a 
`STATUS_INVALID_COMPUTER_NAME` error.

[python-shield]: https://img.shields.io/badge/python-3.6-green
文件快照

登录后查看神龙缓存的 POC 文件快照

登录查看
备注
    1. 建议优先通过来源进行访问。
    2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
    3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →